Splunk Search

Set the Host Field to the value of a column in a DB Connect input

mavidales
Engager

One of my database inputs has a column named Server which contains the hostname for whichever machine an app is running on. It would be nice if the host field could map to whatever value is in that column at the time it is brought in, but I haven't found a way to do that.

There's some other questions about how to do something similar with other input types (files, via parsing), but I haven't seen one that I've been able to get working for a database input.

I suppose I could create a new input for each machine that will show up in there (custom query) and then set the static Host Field value to it's hostname but right now I'd rather just have one input.

Tags (2)
0 Karma

mchang_splunk
Splunk Employee
Splunk Employee

if your inputs.conf is like this:


[dbmon-tail:........]
sourcetype=table_with_host

and the field name in table is host_name.

you can set up props.conf and transforms.conf to replace the host name in indexing time.

props.conf:


[table_with_host]
TRANSFORMS-host_rename=rename_host_by_field_host

transforms.conf:


[rename_host_by_field_host]
SOURCE_KEY=fields:hostname
DEST_KEY=MetaData:Host

document could be refer to:

http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Overridedefaulthostassignments

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...